March 8, 2004 



The Commissioner of Patents 



Has received an application for a patent 
for a new and useful invention. The title 
and description of the invention are enclosed. 
The requirements of law have been 
complied with, and it has been determined 
that a patent on the invention shall be 
granted under the law. 

Therefore, this 



Grants to the person(s) having title to this 
patent the right to exclude others from 
making, using, offering for sale, or selling 
the invention throughout the United States 
of America or importing* the invention into 
the United States of America for the term 
set forth below, subject to the payment of 
maintenance fees as provided by law. 

If this application was filed prior to June 8, 
1995, the term of this patent is the longer of 
seventeen years from the date of grant of 
this patent or twenty years from the earliest 
effective U.S. filing date of the application, 
subject to any statutory extension. 

If this application was filed on or after June 8, 
1995, the term of this patent is twenty years 
from the earliest effective U.S. filing date 
of the application, subject to any statutory 
extension. 
[57] ABSTRACT 

A system for automatically encrypting and decrypting data 
packets sent from a source host to a destination host across a 
public internetwork. A tunnelling bridge is positioned at 
each network, and intercepts all packets transmitted to or 
from its associated network. The tunnelling bridge includes 
tables indicating pairs of hosts or pairs of networks between 
which packets should be encrypted. When a packet is 
transmitted from a first host, the tunnelling bridge of that 
host's network intercepts the packet, and determines from its 
header information whether packets from that host that are 
directed to the specified destination host should be 
encrypted; or, alternatively, whether packets from the source 
host's network that are directed to the destination host's 
network should be encrypted. If so, the packet is encrypted, 
and transmitted to the destination network along with an 
encapsulation header indicating source and destination 
information: either source and destination host addresses, or 
the broadcast addresses of the source and destination networks 
(in the latter case, concealing by encryption the hosts' 
respective addresses). An identifier of the source network's 
tunnelling bridge may also be included in the encapsulation 
header. At the destination network, the associated tunnelling 
bridge intercepts the packet, inspects the encapsulation 
header, from an internal table determines whether the packet 
was encrypted, and from either the source (host or network) 
address or the tunnelling bridge identifier determines 
whether and how the packet was encrypted. If the packet 
was encrypted, it is now decrypted using a key stored in the 
destination tunnelling bridge's memory, and is sent on to the 
destination host. The tunnelling bridge identifier is used 
particularly in an embodiment where a given network has 
more than one tunnelling bridge, and hence multiple possible 
encryption/decryption schemes and keys. In an alternative 
embodiment, the automatic encryption and decryption 
may be carried out by the source and destination hosts 
themselves, without the use of additional tunnelling bridges, 
in which case the encapsulation header includes the source 
and destination host addresses. 
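The intercept, table lookup, encapsulate and decrypt flow described in this abstract, modelled as an added Python example (not code from the patent or any product): the keystream cipher, the packet layout, the host/network tables and the two /16 networks are constructed assumptions, and the example walks both the host-pair case (header keeps host addresses) and the network-pair case (header carries broadcast addresses).

```python
import hashlib, ipaddress, os
from dataclasses import dataclass, field
def xor_stream(key, nonce, data):
    # Toy cipher stand-in (SHA-256 keystream) for the demo: confidentiality only, no integrity check.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

@dataclass
class Bridge:
    bridge_id: str
    host_keys: dict = field(default_factory=dict)  # (src_host, dst_host) -> key
    net_keys: dict = field(default_factory=dict)   # (src_network, dst_network) -> key

    def outbound(self, src, dst, payload):
        # Intercept a packet leaving the network; encrypt and encapsulate if a table entry matches.
        inner = f"{src}|{dst}|".encode() + payload            # original packet, concealed once encrypted
        key, hdr = self.host_keys.get((src, dst)), (src, dst)  # host-pair entry: header keeps host addresses
        for (snet, dnet), k in self.net_keys.items():          # network-pair entry: header carries the two
            if key is None and ipaddress.ip_address(src) in snet and ipaddress.ip_address(dst) in dnet:
                key, hdr = k, (str(snet.broadcast_address), str(dnet.broadcast_address))  # hosts hidden
        if key is None:                                        # no entry: forward in the clear
            return {"src": src, "dst": dst, "bridge": None, "nonce": b"", "body": payload, "enc": False}
        return {"src": hdr[0], "dst": hdr[1], "bridge": self.bridge_id, "enc": True,
                "nonce": (nonce := os.urandom(8)), "body": xor_stream(key, nonce, inner)}

    def inbound(self, pkt):
        # Intercept an arriving packet; the header addresses select the table entry and thus the key.
        if not pkt["enc"]:
            return pkt["src"], pkt["dst"], pkt["body"]
        key = self.host_keys.get((pkt["src"], pkt["dst"]))
        for (snet, dnet), k in self.net_keys.items():
            if key is None and (pkt["src"], pkt["dst"]) == (str(snet.broadcast_address), str(dnet.broadcast_address)):
                key = k
        if key is None:
            raise ValueError(f"no table entry for {pkt['src']}->{pkt['dst']} via {pkt['bridge']}")
        src, dst, payload = xor_stream(key, pkt["nonce"], pkt["body"]).split(b"|", 2)
        return src.decode(), dst.decode(), payload

def demo():
    # Constructed scenario: one host-pair entry and one network-pair entry, shared by both bridges.
    net_a, net_b = ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("10.2.0.0/16")
    hosts, nets = {("10.1.0.5", "10.2.0.9"): b"host-pair-key"}, {(net_a, net_b): b"network-pair-key"}
    a, b = Bridge("bridge-A", hosts, nets), Bridge("bridge-B", hosts, nets)
    by_host, by_net = a.outbound("10.1.0.5", "10.2.0.9", b"host"), a.outbound("10.1.0.7", "10.2.0.9", b"net")
    return {"host_hdr": (by_host["src"], by_host["dst"]), "net_hdr": (by_net["src"], by_net["dst"]),
            "host_rx": b.inbound(by_host), "net_rx": b.inbound(by_net)}
```

Because the toy keystream carries no authentication, a deployment would pair the encryption with an integrity check; the abstract describes only the key selection and encapsulation logic, which is what the example models.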

17 Claims, 7 Drawing Sheets 